Why The OPM Breach Is Such a Security and Privacy Debacle

The Theodore Roosevelt Building, headquarters of the U.S. Office of Personnel Management (OPM), in Washington, D.C.

Andrew Harrer/Bloomberg/Getty Images

If it's not already a maxim, it should be: Every big hack discovered will eventually prove to be more serious than first believed. That's holding to be especially true with the recently disclosed hack of the federal Office of Personnel Management, the government’s human resources division.

It turns out the hackers, who are believed to be from China, also accessed so-called SF-86 forms, documents used for conducting background checks for worker security clearances. The forms can contain a wealth of sensitive data not only about workers seeking security clearance, but also about their friends, spouses and other family members. They can also include potentially sensitive information about the applicant’s interactions with foreign nationals—information that could be used against those nationals in their own country.

What's more, in initial media stories about the breach, the Department of Homeland Security had touted the government's EINSTEIN detection program, suggesting it was responsible for uncovering the hack. Nope, also wrong.

Although reports conflict about how the OPM discovered the breach, it took four months to uncover, which means the EINSTEIN system failed to catch it. According to a statement from the OPM, the breach was found after administrators made upgrades to unspecified systems. But the Wall Street Journal reported today that the breach was actually discovered during a sales demonstration by a security company named CyTech Services, which was showing the OPM its forensic product.

There are also questions now about the number of people affected by the breach. Bloomberg and the Associated Press report that the figure may be closer to 14 million—affecting not only current and former federal employees but also military, intelligence and government contractor staff going back to the 1980s. But others are disputing this.

As more information comes out about the kinds of information the hackers accessed, the repercussions could be much graver than anyone thought.

The Potential for Blackmail

In its statements about the breach, including a phone recording played for any federal worker who calls seeking more information, the OPM has emphasized that it’s offering victims of the breach credit monitoring, a protection usually offered for financial breaches. It’s only confirmed that basic personal information was stolen, such as names, social security numbers, date and place of birth, and current and former addresses.

But in fact, the data accessed by the intruders may be far broader. The 127-page SF-86 form believed to have been accessed by the hackers also includes financial information, detailed employment histories—with reasons for past terminations included—as well as criminal history, psychological records and information about past drug use.

Federal background checks, after all, are meant to suss out information that foreign adversaries might use to blackmail a government staffer into turning over classified information. And the stolen information could be used for exactly that extortion purpose, says Chris Eng, a former NSA staffer and now VP of research at the security firm Veracode. If the breached background check information goes beyond the SF-86 form, it could even include detailed personal profiles obtained through polygraph tests, in which employees are asked to confess law breaking and sexual history. “They write it all down and it goes into your file. If OPM had any of that stuff, it could be super damaging. You’d know exactly who to go after, who to blackmail,” Eng says. “It could be very damaging from a counterintelligence and national security standpoint.”

There’s another concern even beyond that blackmail risk. SF-86 forms can include a list of the foreign nationals a worker has been in contact with. Diplomats and other workers with access to classified information are required—depending on their job—to provide a list of these contacts. The concern is that if the Chinese government got hold of lists naming Chinese nationals who had been in touch with US government workers, it could use them to blackmail or punish those nationals, particularly if they had kept the contact secret.

Security Failures and Angry Victims

The OPM had no IT security staff until 2013, and it showed. The agency was harshly criticized for its lax security in an inspector general’s report released last November that cited its lack of encryption and the agency’s failure to track its equipment. Investigators found that the OPM failed to maintain an inventory list of all of its servers and databases and didn’t even know all the systems that were connected to its networks. The agency also failed to use multi-factor authentication for workers accessing the systems remotely from home or on the road.

The millions of victims of the OPM breach are already expressing their anger over the massive data spill. J. David Cox, the president of the union of federal government employees, has written a strongly worded letter to OPM director Katherine Archuleta lambasting the security mismanagement that led to the breach and the agency’s response to it. “I understand that OPM is embarrassed by this breach,” Cox writes. “It represents an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce.”

Cox’s letter points to what appears to be a lack of encryption protecting the breached personal data, “a cybersecurity failure that is absolutely indefensible and outrageous.” And he also criticizes OPM’s offer of credit monitoring as a response to the breach as “entirely inadequate, either as compensation or protection from harm.”

An OPM spokesperson declined to comment on the record and instead pointed to an FAQ on the agency’s website. That page says the agency is “continuously working to identify and mitigate threats when they occur. OPM evaluates its IT security protocols on a continuous basis to make sure that sensitive data is protected to the greatest extent possible.” It declines to say which systems were breached, citing the ongoing law enforcement investigation of the hack.

The FAQ does admit, however, that the OPM still isn’t certain it’s even discovered the full extent of the intrusion. “It is important to note that this is an ongoing investigation that could reveal additional exposure,” the statement reads. “If that occurs, OPM will conduct additional notifications as necessary.”

For millions of federal workers already reeling from the growing breach in their personal privacy, those words are hardly comforting.

Update at 11:09 am ET 6/12/15: To add information from Bloomberg about the number of people possibly affected by the breach.

Update at 5:06 pm ET 6/12/15: To add an Associated Press report backing Bloomberg's claim, and to add that the background check information of military and intelligence staff may also be included in the breach.